<!doctype html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<title></title>
	<link rel="stylesheet" type="text/css" href="http://paranoid.net.cn/semantic.css" >
</head>
<body>
<section-title-en>2.9 A Computer Map</section-title-en>
<section-title-ch>2.9 计算机地图</section-title-ch>
<p-en>
	This section outlines the hardware components that make up a computer system based on the Intel architecture.
</p-en>
<p-ch>
	本节概述了构成基于Intel架构的计算机系统的硬件组件。
</p-ch>
<p-en>
	§2.9.1 summarizes the structure of a motherboard. This is necessary background for reasoning about the cost and impact of physical attacks against a computing system. §2.9.2 describes Intel's Management Engine, which plays a role in the computer's bootstrap process, and has significant security implications.
</p-en>
<p-ch>
	§2.9.1 概述了主板的结构。§2.9.2 描述了英特尔的管理引擎，它在计算机的启动过程中起着重要的作用，并具有重要的安全影响。
</p-ch>
<p-en>
	§2.9.3 presents the building blocks of an Intel processor, and §2.9.4 models an Intel execution core at a high level. This is the foundation for implementing defenses against physical attacks. Perhaps more importantly, reasoning about software attacks based on information leakage, such as timing attacks, requires understanding how a processor's computing resources are shared and partitioned between mutually distrusting parties.
</p-en>
<p-ch>
	§2.9.3介绍了英特尔处理器的构件，§2.9.4对英特尔执行核心进行了高层次的建模。这是实现防御物理攻击的基础。也许更重要的是，推理基于信息泄露的软件攻击，如时序攻击，需要了解处理器的计算资源如何在相互不信任的各方之间共享和分割。
</p-ch>
<p-en>
	The information in here is either contained in the SDM or in Intel's Optimization Reference Manual [96].
</p-en>
<p-ch>
	这里的信息要么包含在SDM中，要么包含在Intel的优化参考手册中[96]。
</p-ch>
<section-title-en>2.9.1 The Motherboard</section-title-en>
<section-title-ch>2.9.1 主板</section-title-ch>
<p-en>
	A computer's components are connected by a printed circuit board called a motherboard, shown in Figure 20, which consists of sockets connected by buses. Sockets connect chip-carrying packages to the board. The Intel documentation uses the term “package” to specifically refer to a CPU.
</p-en>
<p-ch>
	一台计算机的元件由一块称为主板的印刷电路板连接，如图20所示，主板由插座和总线连接而成。插座将携带芯片的封装连接到电路板上。英特尔文档中用 "封装 "一词特指CPU。
</p-ch>
<img src="fig.20.jpg" />
<p-en>
	Figure 20: The motherboard structures that are most relevant in a system security analysis.
</p-en>
<p-ch>
	图20：系统安全分析中最相关的主板结构。
</p-ch>
<p-en>
	The CPU (described in §2.9.3) hosts the execution cores that run the software stack shown in Figure 8 and described in §2.3, namely the SMM code, the hypervisor, operating systems, and application processes. The computer's main memory is provided by Dynamic RandomAccess Memory (DRAM) chips.
</p-en>
<p-ch>
	CPU(在§2.9.3中描述)承载着运行图8所示和§2.3中描述的软件栈的执行核心，即SMM代码、管理程序、操作系统和应用进程。计算机的主存储器由动态随机存取存储器（DRAM）芯片提供。
</p-ch>
<p-en>
	The Platform Controller Hub (PCH) houses (relatively) low-speed I/O controllers driving the slower buses in the system, like SATA, used by storage devices, and USB, used by input peripherals. The PCH is also known as the chipset. At a first approximation, the south bridge term in older documentation can also be considered as a synonym for PCH.
</p-en>
<p-ch>
	平台控制器集线器（PCH）容纳了（相对）低速I/O控制器，驱动系统中较慢的总线，如存储设备使用的SATA和输入外设使用的USB。PCH也被称为芯片组。初次近似，旧文档中的南桥一词也可以认为是PCH的同义词。
</p-ch>
<p-en>
	Motherboards also have a non-volatile (flash) memory chip that hosts firmware which implements the Unified Extensible Firmware Interface (UEFI) specification [180]. The firmware contains the boot code and the code that executes in System Management Mode (SMM, §2.3).
</p-en>
<p-ch>
	主板还有一个非易失性(闪存)内存芯片，其中存放着实现统一可扩展固件接口(UEFI)规范的固件[180]。该固件包含启动代码和在系统管理模式（SMM，§2.3）下执行的代码。
</p-ch>
<p-en>
	The components we care about are connected by the following buses: the Quick-Path Interconnect (QPI [91]), a network of point-to-point links that connect processors, the double data rate (DDR) bus that connects a CPU to DRAM, the Direct Media Interface (DMI) bus that connects a CPU to the PCH, the Peripheral Component Interconnect Express (PCIe) bus that connects a CPU to peripherals such as a Network Interface Card (NIC), and the Serial Programming Interface (SPI) used by the PCH to communicate with the flash memory.
</p-en>
<p-ch>
	我们关心的组件由以下总线连接：快速路径互连(QPI[91])，这是一个连接处理器的点对点链接网络，双数据速率(DDR)总线连接CPU和DRAM，直接媒体接口(DMI)总线连接CPU和PCH，外设组件互连快车(PCIe)总线连接CPU和外设，如网络接口卡(NIC)，以及PCH用于与闪存通信的串行编程接口(SPI)。
</p-ch>
<p-en>
	The PCIe bus is an extended, point-to-point version of the PCI standard, which provides a method for any peripheral connected to the bus to perform Direct Memory Access (DMA), transferring data to and from DRAM without involving an execution core and spending CPU cycles. The PCI standard includes a configuration mechanism that assigns a range of DRAM to each peripheral, but makes no provisions for restricting a peripheral's DRAM accesses to its assigned range.
</p-en>
<p-ch>
	PCIe总线是PCI标准的一个扩展的点对点版本，它为连接到总线的任何外设提供了一种执行直接内存访问（DMA）的方法，在不涉及执行核心和花费CPU周期的情况下，将数据传输到DRAM和从DRAM传输数据。PCI标准包括一个配置机制，该机制为每个外设分配一个DRAM的范围，但没有规定限制外设对其分配范围内的DRAM访问。
</p-ch>
<p-en>
	Network interfaces consist of a physical (PHY) module that converts the analog signals on the network media to and from digital bits, and a Media Access Control (MAC) module that implements a network-level protocol. Modern Intel-based motherboards forego a fullfledged NIC, and instead include an Ethernet [84] PHY module.
</p-en>
<p-ch>
	网络接口包括一个物理(PHY)模块和一个媒体访问控制(MAC)模块，前者将网络介质上的模拟信号转换为数字位，后者实现网络级协议。现代基于英特尔的主板放弃了一个完整的网卡，而是包括一个以太网[84]PHY模块。
</p-ch>
<section-title-en>2.9.2 The Intel Management Engine (ME)</section-title-en>
<section-title-ch>2.9.2 英特尔管理引擎(ME)</section-title-ch>
<p-en>
	Intel's Management Engine (ME) is an embedded computer that was initially designed for remote system management and troubleshooting of server-class systems that are often hosted in data centers. However, all of Intel's recent PCHs contain an ME [80], and it currently plays a crucial role in platform bootstrapping, which is described in detail in §2.13. Most of the information in this section is obtained from an Intel-sponsored book [162].
</p-en>
<p-ch>
	英特尔的管理引擎(ME)是一种嵌入式计算机，它最初是为服务器级系统的远程系统管理和故障诊断而设计的，这些系统通常托管在数据中心。然而，英特尔最近的所有PCH都包含一个ME[80]，目前它在平台引导中起着至关重要的作用，这将在§2.13中详细介绍。本节的大部分信息来自于英特尔赞助的一本书[162]。
</p-ch>
<p-en>
	The ME is part of Intel's Active Management Technology (AMT), which is marketed as a convenient way for IT administrators to troubleshoot and fix situations such as failing hardware, or a corrupted OS installation, without having to gain physical access to the impacted computer.
</p-en>
<p-ch>
	ME是英特尔主动管理技术(AMT)的一部分，该技术的市场定位是为IT管理员提供一种方便的方式，以排除和修复诸如硬件故障或操作系统安装损坏等情况，而无需实际访问受影响的计算机。
</p-ch>
<p-en>
	The Intel ME, shown in Figure 21, remains functional during most hardware failures because it is an entire embedded computer featuring its own execution core, bootstrap ROM, and internal RAM. The ME can be used for troubleshooting effectively thanks to an array of abilities that include overriding the CPU's boot vector and a DMA engine that can access the computer's DRAM. The ME provides remote access to the computer without any CPU support because it can use the System Management bus (SMBus) to access the motherboard's Ethernet PHY or an AMT-compatible NIC [100].
</p-en>
<p-ch>
	图21所示的英特尔ME在大多数硬件故障期间仍能正常工作，因为它是一个完整的嵌入式计算机，具有自己的执行内核、引导ROM和内部RAM。由于ME具有一系列能力，包括重写CPU的引导向量和一个可以访问计算机DRAM的DMA引擎，因此可以有效地用于故障诊断。ME可以在没有任何CPU支持的情况下对计算机进行远程访问，因为它可以使用系统管理总线(SMBus)访问主板的以太网PHY或与AMT兼容的网卡[100]。
</p-ch>
<img src="fig.21.jpg" />
<p-en>
	Figure 21: The Intel Management Engine (ME) is an embedded computer hosted in the PCH. The ME has its own execution core, ROM and SRAM. The ME can access the host's DRAM via a memory controller and a DMA controller. The ME is remotely accessible over the network, as it has direct access to an Ethernet PHY via the SMBus.
</p-en>
<p-ch>
	图21：英特尔管理引擎（ME）是托管在PCH中的嵌入式计算机。ME有自己的执行核心、ROM和SRAM。ME可以通过一个内存控制器和一个DMA控制器访问主机的DRAM。ME可以通过网络远程访问，因为它可以通过SMBus直接访问以太网PHY。
</p-ch>
<p-en>
	The Intel ME is connected to the motherboard's power supply using a power rail that stays active even when the host computer is in the Soft Off mode [100], known as ACPI G2/S5, where most of the computer's components are powered off [87], including the CPU and DRAM. For all practical purposes, this means that the ME's execution core is active as long as the power supply is still connected to a power source.
</p-en>
<p-ch>
	英特尔ME使用电源轨连接到主板的电源，即使主机处于软关机模式[100]，即ACPI G2/S5，计算机的大部分组件都处于关闭状态[87]，包括CPU和DRAM，也会保持活动状态。就所有实际目的而言，这意味着只要电源供给仍然连接到电源，ME的执行核心就处于激活状态。
</p-ch>
<p-en>
	In S5, the ME cannot access the DRAM, but it can still use its own internal memories. The ME can also still communicate with a remote party, as it can access the motherboard's Ethernet PHY via SMBus. This enables applications such as AMT's theft prevention, where a laptop equipped with a cellular modem can be tracked and permanently disabled as long as it has power and signal.
</p-en>
<p-ch>
	在S5中，ME不能访问DRAM，但它仍然可以使用自己的内部存储器。ME还可以与远程方进行通信，因为它可以通过SMBus访问主板的以太网PHY。这样一来，就可以实现AMT的防盗等应用，只要有电源和信号，就可以追踪装有蜂窝调制解调器的笔记本，并将其永久禁用。
</p-ch>
<p-en>
	As the ME remains active in deep power-saving modes, its design must rely on low-power components. The execution core is an Argonaut RISC Core (ARC) clocked at 200-400MHz, which is typically used in low-power embedded designs. On a very recent PCH [100], the internal SRAM has 640KB, and is shared with the Integrated Sensor Hub (ISH)'s core. The SMBus runs at 1MHz and, without CPU support, the motherboard's Ethernet PHY runs at 10Mpbs.
</p-en>
<p-ch>
	由于ME在深度省电模式下仍处于活动状态，因此其设计必须依赖低功耗元件。执行核心是一个时钟频率为200-400MHz的Argonaut RISC Core（ARC），它通常用于低功耗的嵌入式设计。在一个很新的PCH[100]上，内部SRAM有640KB，并与集成传感器枢纽(ISH)的核心共享。SMBus运行在1MHz，在没有CPU支持的情况下，主板的以太网PHY运行在10Mpbs。
</p-ch>
<p-en>
	When the host computer is powered on, the ME's execution core starts running code from the ME's bootstrap ROM. The bootstrap code loads the ME's software stack from the same flash chip that stores the host computer's firmware. The ME accesses the flash memory chip via an embedded SPI controller.
</p-en>
<p-ch>
	当主机开机时，ME的执行核心开始运行ME的引导ROM中的代码。引导代码从存储主机固件的同一闪存芯片加载ME的软件栈。ME通过一个嵌入式SPI控制器访问闪存芯片。
</p-ch>
<section-title-en>2.9.3 The Processor Die</section-title-en>
<section-title-ch>2.9.3 处理器模具</section-title-ch>
<p-en>
	An Intel processor's die, illustrated in Figure 22, is divided into two broad areas: the core area implements the instruction execution pipeline typically associated with CPUs, while the uncore provides functions that were traditionally hosted on separate chips, but are currently integrated on the CPU die to reduce latency and power consumption.
</p-en>
<p-ch>
	英特尔处理器的裸片，如图22所示，分为两大区域：核心区域实现了通常与CPU相关的指令执行流水线，而非核心区域则提供了传统上托管在单独芯片上的功能，但目前已集成在CPU裸片上，以减少延迟和功耗。
</p-ch>
<img src="fig.22.jpg" />
<p-en>
	Figure 22: The major components in a modern CPU package. §2.9.3 gives an uncore overview. §2.9.4 describes execution cores. §2.11.3 takes a deeper look at the uncore.
</p-en>
<p-ch>
	图22：现代CPU封装中的主要组件。 §2.9.3给出了非核心概述。 §2.9.4描述了执行核心。
</p-ch>
<p-en>
	At a conceptual level, the uncore of modern processors includes an integrated memory controller (iMC) that interfaces with the DDR bus, an integrated I/O controller (IIO) that implements PCIe bus lanes and interacts with the DMI bus, and a growing number of integrated peripherals, such as a Graphics Processing Unit (GPU). The uncore structure is described in some processor family datasheets [97, 98], and in the overview sections in Intel's uncore performance monitoring documentation [37, 90, 94].
</p-en>
<p-ch>
	在概念层面上，现代处理器的非核心包括一个与DDR总线接口的集成内存控制器(iMC)、一个实现PCIe总线通道并与DMI总线交互的集成I/O控制器(IIO)，以及越来越多的集成外设，如图形处理单元(GPU)。在一些处理器系列的数据表[97，98]和英特尔的非核心性能监控文档[37，90，94]中的概述部分对非核心结构进行了描述。
</p-ch>
<p-en>
	Security extensions to the Intel architecture, such as Trusted Execution Technology (TXT) [70] and Software Guard Extensions (SGX) [14, 139], rely on the fact that the processor die includes the memory and I/O controller, and thus can prevent any device from accessing protected memory areas via Direct Memory Access (DMA) transfers. §2.11.3 takes a deeper look at the uncore organization and at the machinery used to prevent unauthorized DMA transfers.
</p-en>
<p-ch>
	英特尔架构的安全扩展，如可信执行技术(TXT)[70]和软件卫士扩展(SGX)[14，139]，依赖于处理器裸片包括内存和I/O控制器的事实，因此可以防止任何设备通过直接内存访问(DMA)传输访问受保护的内存区域。 §2.11.3将更深入地研究非核心组织和用于防止未经授权的DMA传输的机械。
</p-ch>
<section-title-en>2.9.4 The Core</section-title-en>
<section-title-ch>2.9.4 核心</section-title-ch>
<p-en>
	Virtually all modern Intel processors have core areas consisting of multiple copies of the execution core circuitry, each of which is called a core. At the time of this writing, desktop-class Intel CPUs have 4 cores, and server-class CPUs have as many as 18 cores.
</p-en>
<p-ch>
	实际上，所有现代英特尔处理器都有由多个执行核心电路副本组成的核心区域，每个执行核心称为一个核心。在撰写本文时，桌面级英特尔CPU有4个核心，服务器级CPU有多达18个核心。
</p-ch>
<p-en>
	Most Intel CPUs feature hyper-threading, which means that a core (shown in Figure 23) has two copies of the register files backing the execution context described in §2.6, and can execute two separate streams of instructions simultaneously. Hyper-threading reduces the impact of memory stalls on the utilization of the fetch, decode and execution units.
</p-en>
<p-ch>
	大多数英特尔CPU都具有超线程功能，这意味着一个内核（如图23所示）有两个支持§2.6所述执行上下文的寄存器文件副本，可以同时执行两个独立的指令流。超线程减少了内存停滞对取、解码和执行单元利用率的影响。
</p-ch>
<img src="fig.23.jpg" />
<p-en>
	Figure 23: CPU core with two logical processors. Each logical processor has its own execution context and LAPIC (§2.12). All the other core resources are shared.
</p-en>
<p-ch>
	图23：具有两个逻辑处理器的CPU核。每个逻辑处理器都有自己的执行上下文和LAPIC（§2.12）。所有其他核心资源都是共享的。
</p-ch>
<p-en>
	A hyper-threaded core is exposed to system software as two logical processors (LPs), also named hardware threads in the Intel documentation. The logical processor abstraction allows the code used to distribute work across processors in a multi-processor system to function without any change on multi-core hyper-threaded processors.
</p-en>
<p-ch>
	一个超线程内核作为两个逻辑处理器（LP）暴露给系统软件，在英特尔文档中也被命名为硬件线程。逻辑处理器抽象允许多处理器系统中用于在处理器之间分配工作的代码在多核超线程处理器上不做任何改变地运行。
</p-ch>
<p-en>
	The high level of resource sharing introduced by hyper-threading introduces a security vulnerability. Software running on one logical processor can use the highresolution performance counter (RDTSCP, §2.4) [152] to get information about the instructions and memory access patterns of another piece of software that is executed on the other logical processor on the same core.
</p-en>
<p-ch>
	超线程引入的高度资源共享引入了一个安全漏洞。在一个逻辑处理器上运行的软件可以使用高解析性能计数器（RDTSCP，§2.4）[152]来获取在同一内核的另一个逻辑处理器上执行的另一个软件的指令和内存访问模式的信息。
</p-ch>
<p-en>
	That being said, the biggest downside of hyperthreading might be the fact that writing about Intel processors in a rigorous manner requires the use of the cumbersome term Logical Processor instead of the shorter and more intuitive “CPU core”, which can often be abbreviated to “core”.
</p-en>
<p-ch>
	说起来，超线程最大的弊端可能是，严谨地写英特尔处理器，需要使用繁琐的 "逻辑处理器"（Logical Processor），而不是更短更直观的 "CPU核心"（CPU core），后者往往可以缩写为 "核心"。
</p-ch>

</body>
</html>	